It looks like your solution just automatically lets everyone in. Would be better if you modified it to show how you could create a whitelist of known domains that were acceptable. Like http://brockallen.com/2012/06/28/cors-support-in-webapi-mvc-and-iis-with-thinktecture-identitymodel/
Thanks,
Paul

I had the same problem with the project (in VS2012); the MvcApp server returned an internal server error for every request.
Adding the CorsHandler.cs handler and adding the proper line in Global.asax.cs (GlobalConfiguration.Configuration.MessageHandlers.Add(new CorsHandler());) worked perfectly for me.

Hi
I have downloaded your code, hosted it on an IIS server and called it from different browsers (cross-browser), and every time it is giving an error, not calling the action of the controller. Is there anything wrong with the code sample?

Working on IE 9 w/cookies:
Origin: app.foo.com
WebApi: app.foo.com:8080
Not working on FF 19.0.2 with cookies:
Origin: app.foo.com
WebApi: app.foo.com:8080
Not Working on FF 19.0.2 with cookies:
Origin: app.foo.com
WebApi: svc.foo.com
Not Working on IE 9 at all, no request made:
Origin: app.foo.com
WebApi: svc.foo.com
Sorry for the multiple posts. Any help would be oh so appreciated. I am using jQuery to make the requests - all GET requests so far.
Thanks!!!

I was wrong and right in my earlier question. I can get this to work from IE (cookies and all) if the origin & webapi urls are the same but differ by port. E.g. origin (app.foo.com) webapi (api.foo.com or api.bar.com).
Any ideas how or if this can work?

First - great post!
I got this to work with IE & FF but FF won't send cookies even though I return Access-Control-Allow-Credentials: true.
Any thoughts about if this can work with FF (and eventually Safari & Chrome)?
Thanks!

Not sure why you defined constants for Origin, AccessControlRequestMethod, etc... and then didn't include them in your code example. Makes it pretty confusing for anyone trying to work from the code sample without downloading your whole project.